Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1047
Views
0
Helpful
6
Replies

site-to-site VPN with asa 5525-x don't cominng UP

Rowlands Price
Level 1
Level 1

‎04-17-2019 10:19 PM

Hi,

I have a site-toèsite vpn between an asa 5520 and a cisco router, it's working fine.

now, i get a new asa 5525-X to replace the old 5520,

My issue is the vpn didn't working on the new asa 5525-X, the config with 5525 is little different with IKEv1 and IKEv2 etc.

for the moment, i back to 5520 and it's working now, the issue is the config on my new 5525

 

attached is the three configs (both asa and router)

Thanks in advance

Labels:
Preview file
8 KB
Preview file
12 KB
0 Helpful
6 Replies 6

Rowlands Price
Level 1
Level 1

‎04-17-2019 10:20 PM

Attached here is the router config which working with asa 5520

Preview file
5 KB
0 Helpful

AZaburdyayev
Level 1
Level 1
In response to Rowlands Price

‎04-17-2019 11:33 PM

It seems nat broke your VPN. Try to move

nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static

NETWORK_OBJ_10.4.13.0_26 NETWORK_OBJ_10.4.13.0_26

to the begining and add no-proxy-arp route-lookup

ie

conf t

no nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static

NETWORK_OBJ_10.4.13.0_26 NETWORK_OBJ_10.4.13.0_26

nat (inside,outside) 1 source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static

NETWORK_OBJ_10.4.13.0_26 NETWORK_OBJ_10.4.13.0_26 no-proxy-arp route-lookup

0 Helpful

Rowlands Price
Level 1
Level 1
In response to AZaburdyayev

‎04-18-2019 02:18 AM

Hi AZaburdyayev

this 

nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static

NETWORK_OBJ_10.4.13.0_26 NETWORK_OBJ_10.4.13.0_26

 

is for my Anyconnect vpn, not for site-to-site and this anyconnect is working fine..

let's me first delete the anyconnect vpn nat and try

 

Regards

0 Helpful

AZaburdyayev
Level 1
Level 1
In response to Rowlands Price

‎04-18-2019 02:42 AM - edited ‎04-18-2019 02:50 AM

hmm, I missed this maybe. You should exempt your internal network from nat.

so this is rule we are interested in

nat (inside,outside) source static vlan_serveur vlan_serveur destination static pog_network pog_network no-proxy-arp route-lookup

you should move it for the 1st position.

0 Helpful

Rowlands Price
Level 1
Level 1
In response to AZaburdyayev

‎04-18-2019 03:06 AM

Dear

according to the config, this nat is in 1st position

 

nat (inside,outside) source dynamic OBJ_GENERAL_ALL interface
nat (inside,outside) source static vlan_serveur vlan_serveur destination static pog_network pog_network no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_10.4.13.0_26 NETWORK_OBJ_10.4.13.0_26

0 Helpful

AZaburdyayev
Level 1
Level 1
In response to Rowlands Price

‎04-18-2019 03:31 AM

OBJ_GENERAL_ALL includes vlan_serveur , so 1st rule nat (inside,outside) source dynamic OBJ_GENERAL_ALL interface would nat your packet BEFORE it goes to tunnel.

nat (inside,outside) source static vlan_serveur vlan_serveur destination static pog_network pog_network no-proxy-arp route-lookup

should be before

nat (inside,outside) source dynamic OBJ_GENERAL_ALL interface

 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents